-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 12.20.02:
http://www.idefense.com/advisory/12.20.02.txt
Microsoft Hotmail Cross-Site Scripting (XSS) Flaws
December 20, 2002

I. BACKGROUND

Hotmail is the world's largest provider of free, Web-based e-mail. It is 
based on the premise that e-mail access should be easy and possible from 
any computer connected to the World Wide Web. Hotmail eliminates the 
disparities among e-mail programs by adhering to the universal Hypertext 
Transfer Protocol (HTTP) standard. More information is available at
http://www.hotmail.com

II. DESCRIPTION

The susceptibility of Microsoft Corp.'s MSN Hotmail to two cross-site 
scripting (XSS) attacks could allow attackers to infiltrate a targeted 
Hotmail user's e-mail account. Both attacks stem from incorrect or 
incomplete HTML filtering by Hotmail. 

Issue One: Session Hijacking 

While Hotmail does filter a number of HTML tags, it fails to filter the 
<textarea> tag. As such, an attacker could trick the Hotmail parser into 
treating a </textarea> tag as part of the literal value of a <td> 
background variable. Since the <textarea> tag does not rely on quotes and 
ends when it reaches a closing </textarea> tag, the attacker could insert 
a JavaScript routine that would not be filtered. 

The inserted routine could not contain any quotes, as Hotmail filters out 
such characters. This, however, could be overcome by using the 
String.fromCharCode() method, which converts an ASCII value to a string. 

Issue Two: Arbitrary Action Execution 

Hotmail does filter a number of variables, but it fails to filter the <td>
background variable. Knowing this, an attacker could dupe a targeted user 
into opening an HTML-enabled e-mail to generate a GET request on a Hotmail
server to execute an action. For example, Hotmail has filters in place 
that replace the following HTML: 

<td width=1 height=1 bgcolor=\" 
background='http://hotmail.msn.com/cgi-bin/dofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'></td> 

The HTML above is replaced with the following: 

<td width=1 height=1 bgcolor=\~ 
background='http://64.4.14.24/spacer.gif'></td> 

However, Hotmail does not properly filter URLs that are composed with 
backslashes. So the following HTML would filter incorrectly: 

<td width=1 height=1 bgcolor=\" 
background='http://hotmail.msn.com\cgi-bin\dofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'>/td> 

The HTML above becomes: 

<TD width=1 height=1 bgcolor=\~ 
background='http://hotmail.msn.com\cgi-bin\dofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'></td> 

When the page loads, the code would generate a GET request to the 
specified URL. The URL is in the Hotmail domain, thus the user's cookie 
would transmit with the request. The Hotmail server would process the 
request and create a folder named HACKED. 


III. ANALYSIS

Unlike most XSS attacks, which require a user to click on a tainted link, 
exploitation in this case only requires a Hotmail user to view a malicious
e-mail. Sending the e-mail from a forged e-mail address affords a greater 
chance for successful exploitation. Once an attacker compromises one 
Hotmail user's account, the attacker could then use that account to 
compromise other e-mail accounts. 

It is quite feasible for an automated worm to be written in such a way 
that it spreads through the enumeration of user address books. Such a worm
would quickly propagate as future attack e-mails would arrive from known 
and trusted e-mail addresses. 

Once a user's Hotmail cookie has been stolen, an attacker has the ability 
to gain full control over the user's account until the user logs out or 
the session times out. (Hotmail's default setting is to never timeout). 
During that time, an attacker could read, remove, and store all e-mails, 
as well as send e-mails from the compromised account. 

The ability to execute arbitrary Hotmail actions allows an attacker to set
any option that the targeted user could normally set under the Options 
menu. This includes redirecting all e-mail to the deleted folder and 
modifying the user's name or e-mail signature. 

For further information on this class of attacks, refer to "The Evolution 
of Cross-Site Scripting Attacks," an iDEFENSE White Paper available at 
http://www.idefense.com/papers.html .


IV. DETECTION

All Hotmail users were vulnerable to the above-descibred attacks before
Microsoft resolved the issues.

V. VENDOR FIX

Microsoft fixed this issue in hotmail on 11/04/2002. 


XI. DISCLOSURE TIMELINE

10/08/2002	Issue disclosed to iDEFENSE
10/31/2002	Issue disclosed to Microsoft (secure@microsoft.com)
10/31/2002	Response received from secure@microsoft.com (Terri Forslof)
11/01/2002	iDEFENSE Clients notified
11/05/2002	Response received from secure@microsoft.com indicating 
                 issue was resolved at 3:00pm PST 11/04/2002
12/20/2002 	Public Disclosure

X. CREDIT

David Zentner (David@cgishield.com) discovered this vulnerability.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4A96E4F

iQA/AwUBPgOJsvrkky7kqW5PEQI5QQCcCTWhcFmBJBeJHGvKX93RMenStdIAoKYa
Nt9y0FDvT0jHhy49jT2qbSuo
=7i3V
-----END PGP SIGNATURE-----